Configure Proxy Chaining with Blue Coat Proxy

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Strata Cloud Manager)	Prisma Access license.

Proxy chaining creates a multihop internet pathway by cascading multiple proxy servers for an additional layer of security or due to compliance. Each server forwards your traffic to the next, ultimately reaching the internet. This technique uses your existing network infrastructure and enables connecting to an upstream proxy for secure HTTP and HTTPS communication. The integration preserves user browser settings while enhancing security and control.

Why enterprises use the proxy chaining feature:

1. Enhanced Privacy and Anonymity by offering multilayered protection and bypassing geo-restrictions.
2. Security and Control by filtering malicious content, spam, and phishing attempts by adding an extra layer of security to the user’s browsing experience.
3. Companies can use proxy chaining to enforce internal policy rules by restricting access to certain websites or services based on user roles or locations.
4. Instead of deploying a new system, proxy chaining allows you to utilize your existing network infrastructure by connecting to an upstream proxy server for specific tasks. This can be a cost-effective and efficient solution.

Learn more about how Prisma Access Explicit Proxy works.

Here’s the scenario when customers want to proxy chain the traffic from the on-premises Blue Coat proxy to the Prisma Access Explicit Proxy. The on-premises Blue Coat proxy authenticates users and passes the username to Prisma Access Explicit Proxy using X-Authenticated-User (XAU) header insertion on the Blue Coat proxy.

The static route and destination NAT for the Explicit Proxy IP addresses are required in no default route networks.

1. Configure Prisma Access.

   1. Set up Explicit Proxy.
   2. Add Blue Coat Explicit Proxy as a Trusted Source Address.

      1. Select WorkflowsPrisma Access SetupExplicit ProxyAdvanced Security SettingsAdd Address.
      2. Enter the IP address for the Blue Coat Explicit Proxy.
         You can add either IP addresses or subnets.
      3. Select Use X-Authenticated-User (XAU) header on incoming HTTP/HTTPS requests for Identity.

2. Perform configuration on Blue Coat Proxy.

   1. Enforce authentication.

   2. Configure the forwarding layer.

   1. Obtain the IP address of Prisma Access Explicit Proxy.
      1. In Strata Cloud Manager, select WorkflowsPrisma Access SetupExplicit ProxyInfrastructure Settings.
      2. Copy the Proxy FQDN.

   2. Enable HTTPS decryption for header insertion.
      Decryption is mandatory for header insertion.

   3. Configure header forwarding.
      The client IP address received through the XFF header is simply logged and can't be leveraged for policy.
   4. Set header value encoding to base64:

      define action Encode_All_XFF
        set( request.x_header.X-Authenticated-User, "$(user:encode_base64)" )
      end
      
      define action x-authenticate
        set( request.x_header.X-Authenticated-User, "WinNT://($$domain)/($$user):encode_base64" )
      end
      

3. Verify the configuration.

   1. In Strata Cloud Manager, select Incidents and AlertsLog Viewer
   2. Check the X-Forwarded-For and the Users columns to verify that the user and IP address information is visible on Prisma Access.
4. Consider these points:

   1. The Blue Coat proxy requires authentication and decryption to insert XAU header information.
   2. The X-Authenticated-User authentication header value should be in Base64 format.
   3. Prisma Access Explicit Proxy can see the user identity for the decrypted traffic.